Bug#910398: stretch-pu: package gnupg2/2.1.18-8~deb9u3



Wow, thanks a lot for your awesome work on both enigmail and gnupg, dkg!

I agree that this should be rolled out to users soon.

The classic path of using "stretch-proposed-updates" means that it would land in the next point release (9.6). However, an ETA of that is "not yet planned", according to https://release.debian.org/

Using "stretch-updates", as Salvatore proposed, would accelerate this. This surely qualifies for the criteria described in the announcement.
https://lists.debian.org/debian-devel-announce/2011/03/msg00010.html

However, it's probably "overqualified" for "stretch-updates", since one criterion is being "urgent and not of a security nature". I would argue that this is indeed "of a security nature". For one, it hardens scdaemon and updates cryptographic defaults, both are "of a security nature".

Additionally, it allows security updates (fixing vulnerabilities) for other packages (thunderbird, enigmail) to be shipped in Debian stable. Debian made the correct choice to ship updated ESR releases of firefox and thunderbird (and chromium) instead of trying to backport all cherry-picked CVE patches. IMHO, then it should also try to keep important dependencies working. Enigmail is widely used, essential for many thunderbird users - and "security" software. dkg has done a lot of work to package enigmail 2 work in Debian.

In addition, dkg's packaging has an outstanding track record. And this gnupg update has been tested, as shown in the tickets.

All in all, I'm for fast-tracking this via "stretch-security".

Thanks, and keep up the good work!

Daniel Kahn Gillmor:
However, they do have security implications for stretch, because they are needed in order to support enigmail since the thunderbird 60 upgrade.

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
